[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd

Adam Stokes adam.stokes at canonical.com
Tue May 15 17:38:59 UTC 2012 

** Description changed:

- On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd'
- field to anything with 'ldap' as the first item breaks the ability to
- become root using 'su' and 'sudo' as anyone but root.
+ SRU Request:
+ 
+ [Impact]
+ As heavily outlined in the amount of comments in this bug the impact is detrimental to both community and enterprise users alike.
+ 
+ [Development Fix]
+ Howard Chu released a patch in #73 which was later confirmed in #106 & #108 as a resolution. The patch has since then made its way into the latest development tree.
+ 
+ [Stable Fix]
+ Patch from #73 can be applied cleanly to Lucid and new distributions.
+ 
+ [Test Case]
+ On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd' field to anything with 'ldap' as the first item breaks the ability to become root using 'su' and 'sudo' as anyone but root.
  
  Default nsswitch.conf:
  
  passwd:         compat
  group:          compat
  shadow:         compat
  
  matt at box:~$ sudo uname -a
  [sudo] password for matt:
  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
  
  matt at box:~$ su -
  Password:
  root at box:~#
  
  Modified nsswitch.conf with 'ldap' before 'compat':
  
  passwd:         ldap compat
  group:          ldap compat
  shadow:         ldap compat
  
  matt at box:~$ sudo uname -a
  sudo: setreuid(ROOT_UID, user_uid): Operation not permitted
  
  matt at box:~$ su -
  Password:
  setgid: Operation not permitted
  
  Modified nsswitch.conf with 'ldap' after 'compat':
  
  passwd:         compat ldap
  group:          compat ldap
  shadow:         compat ldap
  
  matt at box:~$ sudo uname -a
  [sudo] password for matt:
  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
  
  matt at box:~$ su -
  Password:
  root at box:~#
  
  The same arrangements in nsswitch.conf work as expected in Jaunty and
  earlier releases.
  
+ [Regression Potential]
+ This should be minimal as the code change only addresses the duplicating global_init during thread callbacks.
+ 
+ 
  Lucid Release Note:
  
  == NSS via LDAP+SSL breaks setuid applications like sudo ==
  
  Upgrading systems configured to use ldap over ssl as the first service
  in the nss stack (in nsswitch.conf) leads to a broken nss resolution for
  setuid applications after the upgrade to Lucid (for example sudo would
  stop working). There isn't any simple workaround for now. One option is
  to switch to libnss-ldapd in place of libnss-ldap before the upgrade.
  Another one consists in using nscd before the upgrade.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/423252

Title:
  NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2
  suexec, and atd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/423252/+subscriptions

More information about the Ubuntu-server-bugs mailing list